A hack is to use the dnssec-trigger trick:

    unbound-control forward_add . 127.0.0.127

Sent from my iPhone

> On Jun 16, 2015, at 04:58, Mikolaj Kucharski <[email protected]> wrote:
>
> Hi,
>
> I'm wondering if it is possible to configure Unbound in such a way that
> it will return REFUSED for any query, except zones which are explicitly
> configured in the config file.
>
> For example, here is a config which allows to resolve "home.lan." and
> "example.com." zones but for anything else returns SERVFAIL. The below
> behaviour is expected, but I would like for the root zone (catch all in this
> case) REFUSED to be returned by Unbound. Is that possible?
>
> I did try a config with `local-zone: "." refuse' but that results in
> queries for stub-zone or forward-zone giving REFUSED.
>
> Sample unbound.conf (tests done on version 1.5.2):
>
> server:
>     interface: 127.0.0.1
>     interface: ::1
>     port: 53
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     hide-identity: no
>     hide-version: no
>     use-syslog: no
>
>     # XXX stub and forward zone queries result with REFUSED
>     #local-zone: "." refuse
>
>     local-zone: "home.lan." static
>     local-data: "box1.home.lan. 60 A 172.16.0.52"
>     local-zone: "0.16.172.in-addr.arpa." static
>     local-data-ptr: "172.16.0.52 60 box1.home.lan."
>
> stub-zone:
>     name: "example.com."
>     stub-addr: 199.43.132.53
>     stub-addr: 199.43.133.53
>
> # XXX SERVFAILs
> forward-zone:
>     name: "."
>
>
> Queries and their statuses:
>
>
> # good, proper answer
> $ dig +noall +comments @127.0.0.1 example.com.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46932
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
>
> # good, proper answer
> $ dig +noall +comments @127.0.0.1 box1.home.lan.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48527
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>
> # bad, SERVFAIL, but I would like REFUSED
> $ dig +noall +comments @127.0.0.1 google.com.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15258
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>
> --
> best regards
> q#
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
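The thread above hinges on two things: which configured zone Unbound picks for a given name (the most specific enclosing local/stub/forward zone, so `forward-zone: name: "."` is the catch-all), and what RCODE comes back (SERVFAIL vs REFUSED, as read from the `status:` field in the dig output). The following is an added example, not code from the thread or from the Unbound project: a small Python checker that models the zone selection for the zones in the quoted unbound.conf, parses the RCODE and flags out of a raw DNS response header the way dig prints them, and can send a real UDP query to a resolver to confirm the behaviour after a config change. The `constructed_response` helper and the sample messages are constructed for offline testing; `query()` needs a reachable resolver and is the only networked function.

```python
import socket
import struct

# RCODE values from the DNS header (RFC 1035 section 4.1.1), as dig prints them.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=1):
    """Build a single-question query (default qtype A, class IN) with RD set,
    which is what `dig @127.0.0.1 name` sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields dig shows in its ;; lines."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative (set for local-data answers)
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(rcode, str(rcode)),
        "counts": (qd, an, ns, ar),   # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }


def longest_matching_zone(qname, zones):
    """Return the most specific configured zone enclosing qname.
    Unbound routes a query to the closest enclosing local/stub/forward zone,
    so a zone named "." only catches names no longer zone matches."""
    q = qname.rstrip(".").lower()
    best, best_len = None, -1
    for zone in zones:
        z = zone.rstrip(".").lower()
        if z == "" or q == z or q.endswith("." + z):
            if len(z) > best_len:
                best, best_len = zone, len(z)
    return best


def constructed_response(name, qid, flags):
    """Constructed sample reply for offline tests: echoes the question section
    under a header with the given id and flags and no answer records."""
    question = build_query(name, qid)[12:]
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question


def query(server, name, timeout=2.0):
    """Send one UDP query to `server` and return its parsed header (networked).
    Use it after changing the config to confirm which RCODE is returned."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid:
        raise ValueError("response id does not match the query id")
    return hdr


# Zones from the quoted unbound.conf; "." is the forward-zone catch-all.
CONFIGURED_ZONES = [".", "home.lan.", "0.16.172.in-addr.arpa.", "example.com."]

# Constructed samples: flags 0x8182 = qr rd ra + SERVFAIL (the google.com case
# in the thread, id 15258); 0x8185 = the same flags with REFUSED instead.
SAMPLE_SERVFAIL = constructed_response("google.com.", 15258, 0x8182)
SAMPLE_REFUSED = constructed_response("google.com.", 15258, 0x8185)

if __name__ == "__main__":
    for name in ("box1.home.lan.", "www.example.com.", "google.com."):
        print(name, "->", longest_matching_zone(name, CONFIGURED_ZONES))
    print(parse_header(SAMPLE_SERVFAIL))
```

Running the script prints which configured zone each of the three names from the thread lands in and decodes the constructed SERVFAIL header; replacing the sample with `query("127.0.0.1", "google.com.")` against a local Unbound shows the live `rcode` after the `forward_add` hack or any other change.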
